The Cyber Insider

Crisis Communications and Incident Response in Cybersecurity, with Meredith Griffanti

Emsisoft


Our guest in this month’s episode of the Cyber Insider is Meredith Griffanti, the Global Head of Cybersecurity & Data Privacy Communications at FTI Consulting. Ms. Griffanti has worked on some of the most high-profile and highly sensitive data breaches around the world and has successfully navigated responses to incidents such as business email compromise, phishing and spear phishing, DDoS, credential stuffing, nation-state, critical infrastructure and major, double-extortion ransomware attacks.

Ms. Griffanti shares her experience in navigating crisis communications, refining incident response plans and the lessons learned from some of the most high-profile breach incidents known. Our guest advises companies to think about what their worst enemy could do to them and to practice their plans more than once a year: 
"So when we were thinking about responding to hundreds of media inquiries, there was no ultimate decision maker on things and eventually we got there. But those types of roles, responsibilities, escalation protocols and processes, those are the things you want to have down in your playbooks now, before an incident happens". 
The conversation touches on the most common communications mistakes that companies make when facing a breach: 
"We see companies prolong the news cycle by saying it was an outage and then moving to security incident, then moving to cyber attack, then ultimately ripping the band aid off and saying it was ransomware". 

All this and much more is discussed in this episode of The Cyber Insider podcast by Emsisoft, the award-winning cybersecurity company delivering top-notch security solutions for over 20 years.

Be sure to tune in and subscribe to The Cyber Insider to get your monthly inside scoop on cybersecurity.

Hosts:

Luke Connolly – partner manager at Emsisoft

Brett Callow – threat analyst at Emsisoft

Intro/outro music: “Intro funk” by Lowtone.

[0:00:00]  Luke Connolly: Welcome to the Cyber Insider, Emsisoft's podcast all about cybersecurity. Your hosts today are Brett Callow, threat analyst here at Emsisoft, and Luke Connolly, partner manager. And we're very excited to have Meredith Griffanti with us today. Meredith is the global head of cybersecurity and data privacy communications at DC-based FTI Consulting, a role she was only recently promoted into. So congratulations on that, Meredith. She started her career on Capitol Hill and then joined Equifax, where she had the pleasure of handling the response to one of the biggest data breaches of all time. She's based in New York and is in the process of becoming a Certified Information Systems Security Professional, and last year traveled with her entire family to watch the World Cup in Qatar, where she was cheering for Uruguay. Welcome, Meredith, and thank you for taking the time to join us today.

[0:01:08]  Meredith Griffanti: Well, thank you very much for having me, Luke and Brett. I'm glad to be here. 

[0:01:12]  Luke Connolly: And maybe to start off and to satiate the curiosity of our listeners who aren't from Uruguay, you could start by refreshing our memories as to how they fared in the World Cup. 

[0:01:23]  Meredith Griffanti: Well, unfortunately, they did not make it out of the first round, but I actually had the pleasure of living in Uruguay. When I worked for Equifax, I was the head of communications for our Latin America region for the company, and I lived in Montevideo, which is the capital of Uruguay. Went to see a few games when La Celeste, as they're so lovingly called, played, and it's part of the culture in South America to be a big football fan. 

[0:01:55]  Meredith Griffanti: And I sort of adapted that and made sure my entire family had the chance to watch them play in Qatar. So that was a really cool experience. Every four years, my entire family goes to the World Cup. It's kind of a thing we've always done, so it was great to do that with them and to be there this past year. 

[0:02:15]  Luke Connolly: That's fantastic. I've heard Montevideo is beautiful. So very envious of you for being able to live there. Really quickly to start off, I mentioned that you were just promoted, but what is it that you do at FTI Consulting?

[0:02:29]  Meredith Griffanti: Sure. So I lead the global cybersecurity and data privacy communications team at FTI. We are, for lack of a better way to put it, a PR team that is specialized in crisis communications around incident response. So we sort of parachute in when a company goes through a ransomware attack, insider threat, business email compromise, you name it, and we help the company figure out what to say to their most important stakeholders, be it customers, employees, media, regulators, business partners. So we really come in to help them figure out how to be as transparent as they can be around what happened while not getting ahead of the forensic investigation or saying or doing anything that they'll have to walk back later.

[0:03:21]  Brett Callow: How long had you been with Equifax before the breach? 

[0:03:25]  Meredith Griffanti: I was at Equifax for a total of six years. I think it had been a little over four years before the breach happened. So I was sort of the veteran on the PR team. I was still in my Latin America position when the breach happened and got called home to headquarters to help triage the response to the incident. And that was a crisis that lasted for about a year, really, when you kind of think about them first disclosing the incident, their CEO resigning, insider trading allegations, 50-state class action lawsuit, and then ultimately the indictment of PRC nationals. That entire process lasted about a year, so that I was quite busy with the incident itself.

[0:04:11]  Meredith Griffanti: And then I really fell in love with cyber, working for the company's post breach CISO, who's been a longtime mentor of mine and really taught me everything I know about cyber. My role with him was to help the company to communicate around what they were doing differently, how they were rebuilding the cybersecurity program and maturing it and rebuilding trust with customers all around the world. So I'll never forget the days of sitting in his office and him drawing out on a whiteboard for me, like how firewall worked and why it was important for the board to understand the investments that the company making and upskilling, bringing new people on board. He's a really fantastic leader, is a guy by the name of Jamil Farshchi, and someone I'm still quite close with to this day. 

[0:05:01]  Luke Connolly: Just wondering, and I'm not sure if you're able to answer this, but did they have a response plan in advance? 

[0:05:07]  Meredith Griffanti: They did. Equifax was always a company that took cybersecurity seriously. I would say they had incident response plans. They tabletopped regularly, like many companies do. But I think what we saw in that incident was, number one, sort of an expectation that it would eventually blow over, that folks just didn't care that much about a data breach at a company that wasn't a household name for the most part. 

[0:05:38]  Meredith Griffanti: And when we tabletopped and we thought about cyber situations, I don't think they were quite envisioning a scenario where literally half the United States was impacted and affected by this attack. Nor did we envision some of the things you just can't plan for in a worst-case scenario happening. Meaning this was during I think it was hurricane Irma. It hit one of our call centers. That was surge capacity for us during the incident. 

[0:06:08]  Meredith Griffanti: Our customer service team mistakenly tweeted out a phishing link. We tried to be a provider of our own credit monitoring services, which I think the company bit off a little more than they could chew on that front and then of course, the insider trading allegations, the CEO resigning, FTC, FCC, DOJ investigations, testifying nine times in front of Congress. I mean, these are things you just don't land board your typical tabletop exercises. So now when I'm helping companies to prepare, I always think to help them think about like, what would your worst enemy do to you if they were trying to take you out and how do you prepare for that kind of scenario and also practice it more than once a year? Refine your plans, get better, poke holes in things, muscle memory. 

[0:07:02]  Meredith Griffanti: These are things that you got to wake up and think about every single day. 

[0:07:06]  Brett Callow: Knowing what you do now, is there anything you would have done differently in that incident? 

[0:07:12]  Meredith Griffanti: I think when we look back, obviously I don't work for Equifax anymore, but they had a lot of lessons learned, more so from a crisis management standpoint. I think actually before I left, I helped to write sort of a lessons learned post breach type of white paper that we shared quite broadly. And there were things like have a decision maker who's the shot caller right throughout the incident. I think there are a lot of people, cooks in the kitchen, people in various roles that had to sign off on things and get approval processes down. 

[0:07:50]  Meredith Griffanti: So when we were thinking about responding to hundreds of media inquiries, there was no ultimate decision maker on things and eventually we got there. But those types of roles, responsibilities, escalation protocols and processes, those are things you want to have down in your playbooks now right before an incident happens. You don't want to be building that while flying. So now when I'm helping companies to prepare and they're like, can you write us a bunch of templates that we can just pull off the shelf and use in the event of an incident response scenario? 

[0:08:28]  Meredith Griffanti: It's really not a great use of your time for me to write a bunch of fictitious media holding statements for you. Let's get really granular on how you're set up from a work stream process. Who's the decision maker on the legal work stream? Who's running the forensic and investigation work stream? Who's on point for comms, customer comms, regulator comms, employee comms and how are those different work streams sharing information back and forth so that they're all moving together and progressing at the same time. 

[0:09:01]  Meredith Griffanti: So those are the types of things we focus on now. And a lot of the lessons learned that I applied to my day to day work when it comes to preparedness. 

[0:09:10]  Luke Connolly: It sounds like a perfect storm of things that were hitting Equifax. And we spoke with Ciaran Martin, who was the founding CEO of the National Cybersecurity Center at GCHQ, last month and he's pretty big on "don't catastrophize". But at the same time, when you're planning, you really have to imagine the worst possible scenario, a combination, a confluence of disasters, whatever they may be, so that you don't get stuck in the moment and unable to respond.

[0:09:38]  Meredith Griffanti: That's a great point. I was just telling you before we hit record, my day has been turned upside down because out of the blue, one of my clients was called to testify in front of Congress about their breach. Unexpected, out of left field, certainly not something they had planned for, but that's kind of the crazy world of cyber we live in. You never know what the other shoe to drop might be. Be it reaction from the threat actor and pressure tactics they might deploy or reaction from various regulators and stakeholders. 

[0:10:11]  Luke Connolly: Right. And this speaks to something, this question talks to something you mentioned earlier, which is crisis communication can be tricky because the press and stakeholders want to know what's happening as soon as possible. But what organizations say and what they don't say can come back to haunt them down the road if they get something wrong or whatever. So how can they navigate that? How can they navigate that with their communications plan? 

[0:10:36]  Meredith Griffanti: I think it's a combination of having the communications team plumbed in and having a seat at the table in the broader context of an incident response team because so often, as I talked about before, you've got these work streams where the forensic team is learning more as the minutes go by. The legal team is kind of overseeing and directing the investigation and it is very involved. Can say, can't say. 

[0:11:03]  Meredith Griffanti: And then sometimes that information just gets passed down to the team, like in an ancillary way and they're not really equipped to go out there and talk to the press or develop proactive communications for customers. And if they had more visibility into what was going on in terms of forensics and the legal strategy, they could really be more effective in terms of what they're recommending. A lot of times we see clients that are hit by a ransomware attack and Brett and I have talked about this a lot, go out there and say, oh, it's a cybersecurity incident or a network disruption. 

[0:11:37]  Meredith Griffanti: A couple of days go by and then it's an attack. A few more days go by and ultimately they own up to being a ransomware attack. And then you get into the whole like do you say data was compromised? Do you say, oh no, yet how do you kind of navigate this evolving, very fluid situation? And our recommendation is always to be as transparent as you possibly can be without putting yourself in that position where you say no evidence data has been compromised and then you don't really have any evidence and you really don't know what you're dealing with. So not getting ahead of the forensics in terms of that type of scenario is really critical. So I think the more you can ingrain the crisis comms team in the overall process and incident response team, the better off everyone is. 

[0:12:32]  Meredith Griffanti: There's always this question of protecting privilege and how involved can you have a PR team be? But at the end of the day, you got to do what's best for your stakeholders, your customers, your employees, and how can you communicate with them if the comms team only has half the picture in terms of what's going on? 

[0:12:54]  Brett Callow: What type of incidents are you typically involved with? Is it mostly ransomware? 

[0:12:59]  Meredith Griffanti: I think these days it's a lot of double extortion, triple extortion type ransomware. We're seeing an uptick in espionage, IP theft type of incidents, which we didn't work on as many of those last year. Always the occasional APT sprinkled in or nation state type of activity, which I frankly enjoy a lot. There's not as much of a need on those. When you think back to the Equifax nation-state-style attack, there's not as many of those that are going gangbusters public because they tend to stay a little bit more quiet in terms of press coverage and having to disclose because there's not that operational disruption that you get with the ransomware style attacks and then a ton of preparedness work. As I said before, everyone's worried about what's going to happen to them and how they get ready for these SEC and NYDFS types of proposals that are coming down the pike. So we are doing a good bit on preparedness. And then I would say the last thing that we'll be focused on in light of those proposals is an app called Secure Your Seat, which is all about helping the CISO, who's, you guys know, very technical, very KPI oriented.

[0:14:21]  Meredith Griffanti: How do we help the CISO to paint a better picture of risk, risk tolerance, risk acceptance at the board level. So that's a lot of fun and a new thing that we're working on. 

[0:14:33]  Luke Connolly: Just because I do like to fill in the acronyms: APT, you talked about nation states. APTs are advanced persistent threats. They're nation states using their resources to go after either nation states or corporations for money or for intellectual property or whatever. And CISOs, of course, are chief information security officers. So let's get into the nitty gritty. Meredith, what's your most interesting war story? You must have seen a lot of things with the customers that you've dealt with. I know that you can't probably mention names, but what sorts of incidents really stick out in your mind?

[0:15:07]  Meredith Griffanti: One, I can talk about by name. It's public because our team actually won an award for the Crisis Communications Response in conjunction with the client's communications team. That's Colonial Pipeline, certainly one that most people are familiar with. It was a DarkSide ransomware attack that hit the Colonial Pipeline IT infrastructure. There was worry about the potential for that threat to migrate to OT. So the pipeline itself, operational technology, it did not. But out of an abundance of caution, the company shut down the pipeline while they were investigating.

[0:15:44]  Meredith Griffanti: And that caused sort of East Coast nationwide well, not nationwide, but an East Coast fuel shortage, a rush at the pump, and big cities. It was the first time I think there was very visual footage of the real world impact of a ransomware attack. You saw people taking trash bags and big trash cans to those gas stations and filling them up and kind of hoarding gasoline. And the White House obviously got involved. There were emergency orders that were handed down by the White House, and we have a lot of state governments get involved as well. So that was certainly one to remember. 

[0:16:27]  Meredith Griffanti: I mean, the CEO was invited to testify, invited to testify in front of Congress twice. We were involved in helping him to prepare for that. We took a little bit of a different tactic when it came to actually talking about paying the ransom and the reasoning behind that. So that was quite interesting. We got on it ahead of the congressional hearings and actually did a sit down with the Wall Street Journal to talk about why we paid the ransom. 

[0:16:56]  Meredith Griffanti: We did a sit down with Bloomberg to talk about root cause. My team was involved in helping to brief the White House press secretary every day, as well as a cohort of government agencies. So it was really a sleep and shifts type of project for my team for a number of days on end. I think the company did a tremendous job. I might be biased, but of really getting out there early, talking about the fact that it was ransomware, giving consistent updates to its shippers, to the general public. 

[0:17:33]  Meredith Griffanti: We were very engaged with obviously I mentioned government, but also with the media in helping them to understand what happened, what operational workarounds we were putting in place, how we were securing the pipeline while OT was down, and what we were doing to get it back up and running as quickly as humanly possible. So ultimately, I think it was a really interesting case study. If you recall, the DOJ was able to claw back some of the ransom payment, working with Chainalysis and some other entities in tracing that money back to DarkSide. So just say cool one to be involved in, but certainly one that was memorable for me.

[0:18:21]  Brett Callow: What's the most extreme tactic you've seen one of the gangs use?

[0:18:25]  Meredith Griffanti: Oh, very timely question. So the Abbott case right now and Brett, we're quite used to seeing the typical pressure tactics from these gangs in terms of extortion, meaning they're calling employees, they're heckling customers of the victimized company, really trying to publicize the event, press, those types of things. But I had one a couple of weeks ago where the threat actor group actually sent a bouquet of flowers and a condolences card to the house of the CEO of the company. 

[0:19:02]  Meredith Griffanti: So that was a new one for me and I would have to say probably one of the most extremes. Another case we worked on was for a bank that was being acquired by a larger bank and the bank that was the seller did not want to pay the ransom. So the threat actor group reached out to the CISO of the buyer bank trying to get them to pay the ransom. They were very attuned to what was going on in the M&A process and clearly were keeping up with the financial happenings of the company. 

[0:19:34]  Meredith Griffanti: So that was another one that was quite out there as well. 

[0:19:39]  Brett Callow: What's the most common communications mistake that companies make? The one thing that they often do that they really shouldn't? 

[0:19:48]  Meredith Griffanti: Oh, great question. I have to say, I understand the reluctance to come out of the gates guns blazing in terms of saying that an incident was ransomware, but I feel like so often, as I said before, we see companies prolong the news cycle by saying it was an outage and then moving to security incident, then moving to cyber attack, then ultimately ripping the band aid off and saying it was ransomware. It's like it happens to everyone these days. It happens to Fortune 50 companies, it happens to small hospitals.

[0:20:26]  Meredith Griffanti: Just say it and go out there and help your customers by sharing the IOCs, telling them what happened, everyone's worried about by saying we're into more and immediately after they start answering data impact questions and the time clock starts ticking when it comes to regulatory notices. But you're going to have to go there anyway, so just be honest about what happened. That's a big frustration for me. Just from the comms perspective, I would say that's one. 

[0:20:57]  Meredith Griffanti: The other one I touched on briefly. We've seen a number of companies, and I know you guys have seen it too, say immediately out of the gates that no data was impacted. No evidence of data, in fact, no evidence of data exfiltration. But again, you don't really have a ton of evidence to work with because the threat actors are smart. They cover their tracks, they wipe logs, they destroy backups. So it's really hard to defend that, I think, when you're making statements based on your evidence at hand. So we see customers have to or clients have to walk that back. The other thing I think I see often is this: when you're a B2B customer or B2B client, sorry, B2B entity that is servicing end customers, there's like a reluctance to get on the phone and talk to them. Which I get because the main, I think, guiding principle in crisis comms is you want everyone singing from the same hymnal. You want everyone to be using the same talking points, talking about the internet in the same way. But also you've got customers that have real questions about the risk to their own networks.

[0:22:11]  Meredith Griffanti: Meaning is the malware self-propagating? Am I at risk of infection? Is it okay for me to do business with you or to maintain this point of connectivity between our systems and without those assurances? And someone on the phone picking up the phone and saying like, hey, look, here's what I know. I'm willing to get our Infosec team on the phone with yours. We can share IOCs with you. We can tell you where we are in the investigation, whatever you need here. 

[0:22:43]  Meredith Griffanti: This is that mentality where it's like stonewall customers until we have a final forensic report. Like, why? That's not good communications or business practices by any means. We're here to help companies communicate, not say nothing.

[0:23:03]  Luke Connolly: Whenever I see a press release that says there's no evidence, there's no evidence that customer data has been lost, I always wonder is there evidence that it hasn't been lost? How hard have you looked? So when thinking about companies calling in specialized crisis communication help, I think of companies I've worked for companies of 20 people or 50 people, 100 people. How small a company should consider that and when just for any size company, when should they consider using someone external rather than in house PR resources before an incident happens? 

[0:23:37]  Meredith Griffanti: Ideally. But I mean truly, the companies I think that fare the best in incident response scenarios are the ones that we've been working with on preparedness plans that we've gone through roles, responsibilities, tabletops, workshops. And they've built that muscle memory on not only how to put pen to paper on responses that they're going to need during a crisis scenario, but they've done that and involved their external advisors.

[0:24:11]  Meredith Griffanti: Meaning we know who the incident response team is from a forensic standpoint. We know their legal counsel. We've all gotten in a room together. We've shaken hands. We're not meeting on the day that encryption happens. Those companies really do tend to do that for those that are bringing us in that I am in all the live wire situation, the sooner the better. Because the first thing that we're going to do is help to craft a narrative around what we know to be fact right at that point in time. 

[0:24:40]  Meredith Griffanti: Then we're going to start scenario planning. What do we do if data hits a shame site? What do we do if the threat actor starts heckling your employee customers? And the sooner we can get involved and start prepping comms for each one of those crazy scenarios, the better off that a company is going to be because they've got that playbook ready to go and ready to deploy no matter what happens next. So ideally you don't want to be reacting to those things in real time. You kind of want some time to breathe, put those things down on paper to make sure everyone's aligned and knows what they're going to do show that the worst happened, the next kind of worst thing to happen in the incident happens. 

[0:25:26]  Meredith Griffanti: And in terms of size, like I said before, I've worked with Fortune Five companies, and those guys have really built out communications teams. And they might have 50 resources on deck in house to draft things, to circulate them through approval processes, but likely they're really good at handling crises in their industry. Meaning if you're a huge airline, you're probably awesome and really ready to respond to a horrific plane crash or a passenger getting dragged out of a plane. 

[0:26:08]  Meredith Griffanti: But cyber crises aren't something that they see every single day. So I think benefit that we bring is this is all we do. I've got 50 people on my team where the most junior person on the team has done 100 of these. So we can really help them to look around corners and just sort of anticipate for an actor activity or like I said, the next worst thing to happen that they need to be prepared for. So I think having that senior-level counsel just as an extension useful.

[0:26:42]  Meredith Griffanti: And then for smaller organizations that just don't have the resources or the bandwidth to be building out crisis communications playbook in the middle and also trying to answer phones or whatever else it may be that they're multitasking and doing where we can do that as well, which is nice. So I'd say again, the sooner the better. 

[0:27:05]  Luke Connolly: Just one thing I wanted to touch on, based on what you said, Meredith, I think it's really important in our industry that we try to stop the shaming that people or companies feel if they do have an attack, if they are the victims. Because as you said, it happens to massive Fortune 100 companies, it happens to small companies, it happens all over the place. And Emsisoft, Brett and I are with a software company that provides endpoint protection. If anyone tells you that their software is completely going to protect you against everything, they're lying. 

[0:27:35]  Luke Connolly: Brett and I were actually joking earlier this week. We saw a company that has a guarantee, guarantee you won't get hacked, and then in small print, we'll give you back your license fee. Thanks very much. That's very helpful. 

[0:27:49]  Brett Callow: You ever meet resistance from in house PR or are they normally quite happy to be able to hand off these situations? 

[0:27:59]  Meredith Griffanti: I think just having been an in house PR person at one point in my career that I don't want to say felt threatened when outside consultants came in, but was like, this is my space. I can handle this. This is my company. Nobody knows this company better than me. I think there's just a different perspective that outside consultants who do nothing but this day in, day out and bring to the table. And I quickly realized that when I needed help, I was going, at Equifax I was going through this massive cyber incident for the first time in my career. I had certainly never been through the domino effect crises that came with that meaning. Insider trading allegations for four executives, government investigation. So having folks on the team that were an extension of the team to help and had seen those things was almost like a comfort thing for me. And I realized they were there to support me, to help me, to make me look good. 

[0:29:09]  Meredith Griffanti: And that's the approach that we take when we do get a little bit of pushback. And it happens from time to time with the corporate communications folks. It's like, look, we're here to help you, to make you look good, to make your jobs easier. Because again, we got 20 matters going on right now. And I guarantee you what you're going through is probably happening to about twelve of my other clients right now. 

[0:29:40]  Brett Callow: What about very small businesses that really don't have a PR team? How should they respond? How can they respond to an incident? 

[0:29:49]  Meredith Griffanti: I don't know that it's that different from very large companies. I think that no matter what size your business is, you face some level of cyber risk. And having it down on paper, even if it's just roles, responsibilities, and what the key actions that you are going to take in the first 72 hours of an incident, having that down on paper will put you in such a better place than trying to invent that. 

[0:30:21]  Meredith Griffanti: As I said before, the moment that encryption happens, right? That's kind of like for me, a blueprint for success is putting that plan down on paper and knowing in advance, even if you don't have them in your regular tabletops or simulations because you can't afford it. But knowing the call from an insurance standpoint, from a counsel standpoint, crisis comms, forensics, ransom negotiators. Just know that you're going to call and take the time to meet them in advance so that you have somewhat of a relationship rapport with those guys when the worst-case scenario happens to.

[0:31:05]  Brett Callow: Move away from communications for a moment. What's your take on the question of banning ransom payments? Or at least severely restricting the circumstance which they can be paid? 

[0:31:16]  Meredith Griffanti: So, not speaking on behalf of my employer, Meredith Griffanti's opinion, I just don't see how banning ransom payments is feasible. I mean, we work with companies all the time, and I'll give you an example, who have policies in place that they under no circumstances will negotiate with terrorists, pay ransoms, and then while depending on their organization, the operational downtime is so significant that they're taking a huge financial hit, much greater than the ransom payment, or the data that was stolen from them is so sensitive and so reputationally harming that they reconsider really quickly. And I've seen boards flip on a dime basically, when these types of incidents face them.

[0:32:10]  Meredith Griffanti: And I think when you're talking about situations like a Colonial pipeline, like hospitals that are impacted where nation is facing a gasoline shortage or hospitals are having to divert emergency services or they can't treat cancer patients, that makes you reconsider what's the lesser of two evils really quickly. We worked for a hospital recently that had a ransom payment, ransomware attack and was adamant about not paying the ransom and then discovered that video footage from the hospital had been stolen and it was pretty awful video footage and that their board reconsidered paying the ransom very quickly and settled that case ultimately. So I don't think it's plausible. 

[0:32:57]  Brett Callow: What about restricting though? Should anyone be able to pay a ransom in any circumstances? 

[0:33:03]  Meredith Griffanti: And I certainly believe in obviously the checks and balances that exist with sanctions. I'm a huge proponent of collaborating with law enforcement, CISA. We actually have on staff on my team the first head of Public Affairs and Communications from CISA. She's been a tremendous add to the team. But I think the more intel we can share with law enforcement, with government, that public private sector partnership myth that everyone talks about, I mean, look, we are seeing these get disrupted. I think the government is doing everything they can to go after these guys to the extent possible. 

[0:33:49]  Meredith Griffanti: And that's a good thing, right? That's a good thing for all of us. 

[0:33:53]  Luke Connolly: Awesome. And with that, I would like to thank you, Meredith, for joining us. Your experience and insights have been very interesting. I'd also like to thank our listeners for tuning in. Stay up to date on the latest in cybersecurity by making sure that you subscribe to our podcast. Meredith, thanks again. 

[0:34:10]  Meredith Griffanti: Luke, Brett, thank you so much for having me.